IT is a relatively young profession. Even 10 to 15 years ago, many of the ‘control measures’ now common in the profession either did not exist or were used by very few organisations. For the purpose of this blog post I will use ‘control measures’ as a collective term for standards, laws, frameworks and best practice guidelines. As the profession has matured, a plethora of ‘control measures’ has emerged, and organisations have adopted them as their own IT has matured. The purpose of today’s post is to clarify these ‘control measures’ and so aid further adoption where it is needed. They all arrive with a caveat, however. An organisation needs to settle on a level of ‘control measures’ that leaves it adept at dealing with security threats and compliant with whatever laws apply to it, locally or globally. If it is not careful, it can spend unnecessary amounts of time implementing different but overlapping ‘control measures’. The aim is a happy medium that lets the organisation meet its business objectives without spending too much time on ‘control measures’ for their own sake.

This is a topic for another day, but I have seen many organisations spend enormous amounts of time preparing the ‘perfect’ business case consisting of hundreds of pages and not enough time on planning to ‘fit business requirements’ or actually actioning the project (too much planning, not enough action). The same is true for ‘control measures’: even with ‘control measures’ such as Sarbanes-Oxley and Basel II, the banks still managed to crash the world economy (averted only by global governments leading ‘control measures’). Let’s also not forget that no system is 100% secure either! I will cover as much as I can today and hope that if I miss anything, my readers can engage as usual and assist in not only filling in the blanks but making it a truly interactive discussion.

According to the Symantec 2010 State of Enterprise Security study (a 2011 edition and YouTube summaries of both years are also available), 75% of organisations suffered cyber attacks in the preceding 12 months, at an average cost of $2 million annually ($2.8 million for the largest ones). ‘The study found that 42 percent of organisations rate security their top issue. This isn’t a surprise, considering that 75 percent of organisations experienced cyber attacks in the past 12 months. These attacks cost enterprise businesses an average of $2 million per year. Organisations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues. The study is based on surveys of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries in January 2010.’ Symantec’s study also found that organisations are exploring approximately 19 different standards or frameworks and are actually using 8 of them. I am predominantly covering these 8 and a few others.

Firstly, let me quickly define the four terms behind ‘control measures’, which I will group into three categories (definitions courtesy of Dictionary.com):

1. Standards:

Something considered by an authority or by general consent as a basis of comparison; an approved model.

2. Frameworks or Best practice guidelines:

I. Frameworks – A set of assumptions, concepts, values, and practices that constitute a way of viewing reality.

II. Best Practice – A technique or methodology that, through experience and research, has reliably led to a desired or optimum result. For example, a manual documenting best practices in the industry.

My research shows that these two terms are used interchangeably, so to avoid further confusion, I will be bundling them together.

3. Law:

Any written or positive rule or collection of rules prescribed under the authority of the state or nation, as by the people in its constitution. For example, statute law.

Standards:

I. ISO/IEC 27001 – The core of the ISO/IEC 27000 series is two documents. ISO/IEC 27001:2005 (formerly BS 7799-2:2002) specifies the requirements for an Information Security Management System (ISMS) and is the part an organisation is certified against. ISO/IEC 27002:2005 (previously named ISO/IEC 17799:2005) is the code of practice for information security management: a catalogue of controls an ISMS can draw on, which is not itself certifiable. Together they replace and incorporate the old BS 7799 standard. In my opinion, this standard should be adopted by most organisations, especially global players.

II. ISO/IEC 20000 – Defines the requirements a service provider must meet to deliver managed services, whereas ITIL provides good practice guidance, advice and options that can be selectively adopted and adapted. ISO/IEC 20000 is a standard in two parts: Part 1, ISO/IEC 20000-1, is the distillation of the ‘must do’ practices of service management; Part 2, ISO/IEC 20000-2, is a code of practice giving advice. Organisations typically pursue ISO/IEC 20000 certification when they want to test and independently demonstrate that they have put ITIL-style service management into practice.

III. Basel II – The second of the Basel Accords, a set of recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision (BCBS), which is hosted by the Bank for International Settlements (BIS). The purpose of Basel II is to create an international standard that banking regulators can use when deciding how much capital banks must set aside to guard against the financial and operational risks they face. Basel II holds financial institutions accountable for the economic consequences of high operational risk (e.g. the neglect of data security) and lets them reap the economic rewards of lowering operational risk (e.g. the deployment of data security measures). Within its three ‘pillars’, (1) Minimum Capital Requirements, (2) Supervisory Review and (3) Market Discipline, Basel II addresses several key security requirements.

IV. PCI DSS – The Payment Card Industry Data Security Standard. The PCI data security framework was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Prior to 2004, each of the card brands had its own proprietary set of information security requirements, which were burdensome and repetitive for merchants and processors participating in several brand networks. The brands subsequently agreed a uniform set of information security requirements, which became known as the PCI Data Security Standard (PCI DSS) and is now maintained by the PCI Security Standards Council (formed in 2006). It governs all payment channels in which cardholder data is handled: retail, mail order, telephone order and e-commerce. The PCI DSS framework is divided into 12 security requirements, grouped under six control objectives.

Frameworks or Best practice guidelines:

I. ITIL (UK) – The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for IT Service Management (ITSM) that includes security management. It describes how IT resources are organised to deliver business value and documents the processes, functions and roles in ITSM. ITIL introduced the concept of the service desk, intended to provide a single point of contact and a common database to meet the communication needs between users and IT providers. ITIL was originally developed by the UK Government’s CCTA in the late 1980s; BS 15000, the former UK standard for IT Service Management, was written in alignment with it and was fast-tracked in 2005 to become ISO/IEC 20000, the first international standard in ITSM.

Law:

I. HIPAA (USA) – The Health Insurance Portability and Accountability Act of 1996, enacted by the US Congress. It protects health insurance coverage for workers and their families when they change or lose their jobs. The Security Rule (finalised in 2003) is a key part of HIPAA for IT: its primary objective is to protect the confidentiality, integrity and availability of electronic protected health information (EPHI) wherever it is stored, maintained or transmitted.

II. Sarbanes-Oxley (USA) – The Sarbanes-Oxley Act of 2002 was enacted as a result of major corporate accounting scandals including Enron and WorldCom. According to Mark Rasch, ‘IT security is important under SOX only to the extent that it enhances the reliability and integrity of that reporting. Because of SOX’s reliance on controls, the Committee of Sponsoring Organizations of the Treadway Commission (headed by former SEC member James Treadway) developed a series of controls for financial processes which are now known as the COSO guidelines. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. For IT auditors, the relevant guidelines are COBIT (Control Objectives for Information and Related Technologies), which is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. (In the UK, there is the IT Infrastructure Library, published by the Office of Government Commerce in Great Britain, which complements COBIT.) These are a series of IT controls which should be in place in order to make such a SOX certification with respect to IT.’

III. Data Protection Act 1998 (UK) – Defines UK law on the processing of data about identifiable living people, extending the scope of data protection beyond the automatically processed data covered by the 1984 Act. It was enacted to bring UK law into line with the EU Data Protection Directive of 1995 (95/46/EC), which required Member States to protect people’s fundamental rights and freedoms, in particular their right to privacy with respect to the processing of personal data. In practice it gives individuals a way to control information about themselves. In IT security terms, the Act’s seventh principle requires personal data to be secured by appropriate technical and organisational measures against accidental loss, destruction or damage and against unauthorised or unlawful processing, and this obligation remains with the business even when it uses a third party to process personal information.

In summary, Symantec’s study found that organisations are exploring approximately 19 different standards or frameworks and are using 8 of them, and that is before taking sector-specific requirements into account. Any organisation’s IT security strategy should cover the three areas of standards, frameworks or best practice guidelines and law, and select appropriately from within each. Ongoing developments such as the recent health care reform bill (USA) will continue to bring their own implications for IT security.

Even when I was in university, I used to be both fascinated and confused by law. It was just as well that I had to contend with just one module of law, as I made a conscious decision that when I embarked on my career, I would leave the law and related computer crime to lawyers. As most of my regular readers know by now, I usually sit around subconsciously searching for a topic. I don’t usually have a list of topics lying around, and usually during the week something happens that leads to an article being posted. Well, it’s either that or on the weekend I have a sudden panic attack that leads to me writing or babbling on about something. A few days ago, something similar happened that has led all of us to this post.

Let me clarify a few things first before we go international. Law in England and Wales is based on common law, whose underlying principle is that it is unfair to treat similar facts differently on different occasions. Because common law is built on precedent, IT and computer matters are only governed by it where a relevant case has already been decided.

The next is tort law, which concerns civil wrongs and is used in civil actions by one citizen against another. Tort law may apply to some IT and computer cases, for example under the tort of negligence or for copyright infringement.

The last one I want to discuss is statutory law, which is law passed by Parliament. ‘Statute’ is generic and collective, while ‘act’ is specific and singular. An act is thus a statute, and the acts generated by a legislative body are collectively referred to as statutes, but ‘act’ is normally used in the formal title of a statute. You could thus talk about ‘the statute on rural land use planning’ or ‘the statutes regarding rural land use planning’, but the title of the actual statute would be something such as ‘Rural Land Use Planning Act’.

As the UK is part of the European Union, it is subject to the law of the European Union. This means that EU law has direct effect within the member states and takes precedence over any conflicting national law.

In addition to the measures above, governments assist each other internationally through extradition treaties. Extradition is the official process whereby one nation or state surrenders a suspected or convicted criminal to another. In the UK, the Extradition Act 2003 underpins the high-profile case of Gary McKinnon.

As I said in a previous post (The Ugly Side of Social Media), the UK’s national law is adequate for dealing with national social media abuse, but there are no international agreements or treaties in place for cross-border offences, for example where significant online abuse involves two individuals in two different countries. The encouraging factor I found during the investigation for that post was that even countries such as Pakistan have produced legislation to combat electronic crimes. The main act to combat computer crime within the UK is the Computer Misuse Act 1990.

Other legislation that bears on IT in the UK and the EU includes the following.

Copyright

EC Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society (due for implementation across the EC by the end of 2002; it proved controversial and was implemented in UK law by the Copyright and Related Rights Regulations 2003).

Contracts for computer systems and software

Supply of Goods and Services Act 1982 (software)

Sale of Goods Act 1979 (hardware)

Misrepresentation Act 1967 (hardware)

Unfair Contract Terms Act 1977

Electronic commerce and contracting

Consumer Protection (Distance Selling) Regulations 2000

Torts

Civil liability may attach to a person independently of the existence of a contract, for example for negligence, defamation, malicious falsehood and nuisance.